As discussed in Security integration with LDAP/active directory using the Domain Server, when an LDAP user logs in, a set of steps occurs. If any of these steps fails, the end result is that the user cannot log in.
To diagnose possible causes using this article, you will require access to the security manager web application.
Verifying Proper Credentials
Have the user attempt to log in using their user id and password. If they get a message indicating the user or password is invalid, you need to confirm that they are not entering any other information, such as a domain, and that they have entered the proper credentials. It is also possible that they are not defined in the LDAP server instance being used. Follow the advanced instructions in How to troubleshoot Domain Server LDAP Security Integration. (REST access code WGS0002)
Unable to Login due to Missing Rights
If the user gets an error that shared searches is required, this indicates that the user credentials were okay but they did not resolve to any groups with this required GUI right. In most cases, it means they are not in any group. To check which groups they belong to, go to the User Manager in the security application and find their user id. (REST access code WGS0001)
Their ID should be present, indicating it was auto-generated, with a recent Modified time since the user just logged on. Anything else would typically indicate a configuration issue in the WorkGroup Server, such as an incorrect security setting or the wrong database schema.
Select the user and Edit/Preview them to see their User Groups Tab.
In this case, the key element is the Assigned User Groups. The example above shows what it should look like: Chris is a member of both the Credit and Finance groups. If you see a blank section like the one below, then no groups were found.
If groups are missing, one common cause is a missing Domain Server and/or matching Security groups. For example, let's say that the user was part of the Developers group in LDAP but this did not show above. To analyze this, go to User Group Management and select the Compare tool.
When you compare, you will want to select differences and you should have a short list of groups. In the example below, there are 3 groups to review (*Agents can be ignored as it is internal only). The group Developers only exists in Secure which means that it will be filtered out by the domain and never be assigned to any users.
To correct this, the easiest option is to select it and then click on Add user group to Domain.
You can set the group, description and type as shown below.
Saving this will update the Domain Server and the difference will be removed.
For the remaining error, adding the group would be an option, but since this is a character mismatch, the easiest would be to correct the incorrect one.
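The comparison described above can also be reproduced offline from two lists of group names. The following Python code is an added example, not part of the product or the original article; the function names, the sample group names (including the constructed "Acounting"/"Accounting" mismatch), the 0.8 similarity cutoff and the exact-name matching rule are assumptions made for illustration.

```python
import difflib

# Constructed sample data: group names as they might appear on each side.
# "Acounting"/"Accounting" is a made-up character mismatch; "*Agents" is internal.
DOMAIN_GROUPS = ["Credit", "Finance", "Acounting", "*Agents"]
SECURE_GROUPS = ["Credit", "Finance", "Accounting", "Developers"]


def compare_groups(domain_groups, secure_groups, cutoff=0.8):
    """Return (only_in_domain, only_in_secure, likely_mismatches)."""
    # Internal groups such as *Agents are skipped, as in the Compare tool.
    domain = {g for g in domain_groups if not g.startswith("*")}
    secure = {g for g in secure_groups if not g.startswith("*")}
    only_domain, only_secure = domain - secure, secure - domain

    # Pair up names that differ by a character or two (cutoff is an assumption).
    mismatches = []
    for name in sorted(only_domain):
        close = difflib.get_close_matches(name, sorted(only_secure), n=1, cutoff=cutoff)
        if close:
            mismatches.append((name, close[0]))
    paired_domain = {d for d, _ in mismatches}
    paired_secure = {s for _, s in mismatches}
    return (sorted(only_domain - paired_domain),
            sorted(only_secure - paired_secure),
            mismatches)


def assigned_groups(ldap_groups, domain_groups, secure_groups):
    """Model of the filtering: a group is assigned only if its exact name
    exists in both the Domain Server and the security application."""
    return sorted(set(ldap_groups) & set(domain_groups) & set(secure_groups))


if __name__ == "__main__":
    only_domain, only_secure, mismatches = compare_groups(DOMAIN_GROUPS, SECURE_GROUPS)
    print("Only in Domain:", only_domain)
    print("Only in Secure:", only_secure)
    print("Likely character mismatches:", mismatches)
    user_ldap = ["Credit", "Developers"]  # constructed LDAP membership
    print("Assigned before fix:", assigned_groups(user_ldap, DOMAIN_GROUPS, SECURE_GROUPS))
    print("Assigned after fix: ",
          assigned_groups(user_ldap, DOMAIN_GROUPS + ["Developers"], SECURE_GROUPS))
```

Groups reported as likely mismatches are candidates for renaming on one side; groups reported as present on only one side are candidates for adding to the other.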
Verification
The user must try to log in again at this point and it should work. You can confirm by going back to User Manager and repeating the verification process. The Developers group shows up at this point.
If the expected groups are showing up, but the user is still not able to log in or execute the requests, then the groups may not have the required rights or objects defined.